javascript link spoofing exploit found!

try this page:

<a href="http://google.com";
onclick="this.href='http://yahoo.com'">Spoof link should go to
google</a>

both in IE and Firefox, users see google in the status bar and assume
that it will go to mozilla, but then at the last second, once users
click the link, the browser actually goes to yahoo. of course you can
obfuscate this by making the onclick a function, defined in some
external file. this is dangerous!

.

Relevant Pages

  • Re: Safari: changing the Google search bar
    ... to the right of the Address bar in Safari? ... I never use Google (the Scroogle.org Scraper ... This has pretty much turned into a thread about Firefox, but there's a great Safari plugin called Inquisitor that adds more functionality than Firefox does. ...
    (comp.sys.mac.system)
  • Re: Google crap
    ... Certainly can with Firefox, however with google the form will be hidden ... doesn't run on my personal computers, and is a security hole, I can't ... Prev by Date: ...
    (uk.transport.london)
  • Re: Firefox 1.5 released
    ... from The Book of Mozilla, ... (get your copy of Firefox and type in ... in the address bar) ... Prev by Date: ...
    (comp.lang.javascript)
  • IE 6 SP 1 java issue
    ... In the address bar is: ... successfully with Firefox. ... updates. ... Prev by Date: ...
    (microsoft.public.windows.inetexplorer.ie6.browser)
  • Firefox Bookmark Sorting
    ... Is there yet a way to sort Bookmarks (from the menu bar) in Firefox? ... can't seem to locate an extension. ... Prev by Date: ...
    (comp.sys.mac.apps)